Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business handles health information - whether you’re a clinic, allied health provider, telehealth platform, NDIS provider, fitness studio, or an employer holding fit‑for‑duty certificates - you’re responsible for storing medical records correctly.
This isn’t just best practice. In Australia, health information is classed as sensitive and is protected by privacy laws that set strict rules for how you collect, use, disclose, secure and dispose of medical records.
In this guide, we’ll walk through the key laws, retention timeframes and practical steps for secure storage. We’ll also highlight the core documents and policies you should have in place so you can confidently manage medical records and focus on delivering great care and services.
What Counts As A Medical Record (And Who Needs To Comply)?
Under the Privacy Act 1988 (Cth), “health information” is a type of sensitive information. In simple terms, a medical record is any record that identifies (or can reasonably identify) a person and relates to their health, disability, healthcare provided, or health services paid for.
Common examples include:
- Clinical notes, diagnoses, treatment plans and referrals
- Pathology or radiology results and specialist letters
- Allied health assessments (for example, physiotherapy, psychology, dietetics)
- Telehealth notes, recordings, chat logs and wearable data that identify a person
- NDIS participant information and progress notes
- Employee medical certificates, pre‑employment health information and functional assessments
Even if you’re not a traditional healthcare clinic, you may be handling health information. For example, gyms and wellness businesses often record injuries and exercise contraindications, and HR teams may hold medical certificates and return‑to‑work plans. If it’s health information about an identifiable person, privacy rules will generally apply to how you handle it.
Which Australian Laws Apply To Medical Record Storage?
Several legal frameworks may apply. Which ones matter to you depends on your business model, where you operate and whose data you hold. Here are the key ones to understand.
Privacy Act 1988 (Cth) And The Australian Privacy Principles (APPs)
The Privacy Act sets national rules for private sector organisations, including the Australian Privacy Principles (APPs). Health service providers are covered regardless of annual turnover, so the usual small business exemption doesn’t apply if you provide a health service.
Key obligations include:
- Only collect health information if it’s reasonably necessary and lawful (APP 3)
- Notify individuals about your collection practices (APP 5)
- Securely store and protect records from misuse, loss and unauthorised access (APP 11)
- Provide access to, and correction of, records when requested (APPs 12–13)
- Limit overseas disclosure and ensure comparable protections when sending data offshore (APP 8)
To meet APPs 1 and 5, publish a clear and current Privacy Policy and provide a concise Privacy Collection Notice at or before the time you collect health information.
Employee Records Exemption (Employment Context)
There’s a common point of confusion in the employment space. Private sector employers have an “employee records exemption” under the Privacy Act for certain acts and practices related to current and former employee records, where the records are directly related to the employment relationship.
What does this mean in practice? Many APP obligations may not apply to how you handle those specific employee records, but:
- The exemption does not cover prospective employees, contractors or volunteers.
- Other laws still apply (for example, workplace health and safety, surveillance and discrimination laws, and any applicable state health records laws).
- Best practice is to safeguard employee health records to a high standard and limit access on a strict need‑to‑know basis.
If you collect medical evidence from staff, set clear boundaries and store it separately from general HR files. Your processes should be documented and consistent with your lawful purposes.
State And Territory Health Records Laws
Some states have additional health records laws that sit alongside the Privacy Act. The two most prominent are:
- New South Wales: Health Records and Information Privacy Act 2002 (HRIP Act)
- Victoria: Health Records Act 2001 (HRA)
These schemes apply based on your activities in those states (for example, providing a health service in NSW or Victoria). Simply “storing records there” isn’t the trigger on its own - it’s about whether your organisation is carrying on activities caught by the local scheme.
Victoria’s HRA prescribes minimum retention periods for private sector health service providers (more on retention below). NSW’s HRIP Act imposes strict handling rules through Health Privacy Principles and relevant codes, but minimum retention timeframes are more nuanced and influenced by professional and clinical standards. Always check the rules that apply to your organisation type and location.
Notifiable Data Breaches (NDB) Scheme
If you experience a data breach that is likely to cause serious harm (for example, lost unencrypted patient files or a compromised patient database), you’ll need to assess the breach and - if thresholds are met - notify affected individuals and the Office of the Australian Information Commissioner (OAIC) under the NDB scheme. A tested Data Breach Response Plan makes this faster and reduces risk.
Cloud Storage And Overseas Disclosure
Using cloud platforms is common, but it may involve overseas data storage or access. APP 8 requires you to take reasonable steps to ensure overseas recipients do not breach the APPs. Due diligence, data residency controls and strong supplier contracts - often via a Data Processing Agreement - are critical.
How Long Should You Keep Medical Records?
Retention isn’t one‑size‑fits‑all. You need to consider federal privacy rules, state health records laws, clinical standards and insurer requirements. As at the time of writing:
- Victoria’s Health Records Act generally requires private sector health service providers to retain adult records for a minimum of 7 years from the last entry.
- For minors in Victoria, retain records until the person turns 25 (that is, until their 25th birthday) or for 7 years from the last entry - whichever is later.
- In NSW, minimum retention periods are not prescribed as a blanket rule in the HRIP Act for all private providers. In practice, professional standards and codes commonly require at least 7 years for adults and, for minors, until age 25 - but you should confirm the specific requirements for your profession, sector and any applicable codes.
- Other jurisdictions may have guidance through professional boards, clinical colleges or industry bodies that recommend similar or longer timeframes.
These are minimums. Your insurer, contracts or clinical standards may require longer storage. When your retention period ends, securely dispose of records (for example, cross‑cut shredding of paper and certified destruction of digital data). Your approach should be documented in a clear retention and destruction schedule. For broader planning when you hold mixed personal data, many businesses also maintain a schedule aligned with data retention laws in Australia.
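A retention and destruction schedule is easier to keep consistent when the minimum dates are computed rather than hand-entered. The following is an added example (not Sprintlaw's code) that applies the Victorian rule above; it assumes "minor" means under 18 on the date of the last entry, that a record may be disposed of on or after the computed date, and that a 29 February anniversary rolls forward to 1 March. Longer insurer, contract or clinical requirements still need to be layered on top.

```python
"""Retention-date calculator for the Victorian Health Records Act rule stated
above: 7 years from the last entry for adults; for minors, the later of the
25th birthday and 7 years from the last entry. Added example, not Sprintlaw's
code. Assumption: 'minor' means under 18 on the date of the last entry."""
from dataclasses import dataclass
from datetime import date

ADULT_YEARS = 7        # minimum retention from last entry (Vic HRA, per the guide)
MINOR_UNTIL_AGE = 25   # minors: keep until this birthday if that is later
AGE_OF_MAJORITY = 18   # assumption: boundary between "minor" and "adult"


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; 29 Feb rolls forward to 1 March (conservative)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, month=3, day=1)


def age_on(dob: date, on: date) -> int:
    """Completed years of age on a given date."""
    return on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))


@dataclass(frozen=True)
class HealthRecord:
    record_id: str       # constructed identifier, not a real record
    date_of_birth: date
    last_entry: date


def retention_end_vic(rec: HealthRecord) -> date:
    """Earliest date on which the record may be securely destroyed."""
    seven_years = add_years(rec.last_entry, ADULT_YEARS)
    if age_on(rec.date_of_birth, rec.last_entry) >= AGE_OF_MAJORITY:
        return seven_years
    return max(seven_years, add_years(rec.date_of_birth, MINOR_UNTIL_AGE))


def destruction_schedule(records, as_of: date):
    """Split records into (due for secure disposal, still to be held) as at a date."""
    due, hold = [], []
    for rec in records:
        end = retention_end_vic(rec)
        (due if as_of >= end else hold).append((rec.record_id, end))
    return due, hold
```

Run `destruction_schedule` over your register on a fixed review date and action only the "due" list through your documented secure-disposal process, keeping the output as evidence of the decision.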
Practical Steps To Store Medical Records Securely
Security is not just an IT task - it’s a legal requirement. The APPs require you to take “reasonable steps” to protect health information. What’s reasonable depends on the sensitivity and volume of data, your size and your risk profile. Here’s a practical roadmap.
1) Lock Down Access
- Apply role‑based access so staff only see what they need to do their job.
- Use unique logins, strong passwords and multi‑factor authentication (MFA).
- Maintain an access register and promptly revoke access when roles change or staff leave.
2) Encrypt And Secure Your Systems
- Encrypt records at rest and in transit (including backups and portable devices).
- Patch systems promptly, run endpoint protection and monitor for intrusion.
- Segment environments (production vs test) and avoid using live patient data in testing.
3) Choose Compliant Platforms And Vendors
- Assess EHR/EMR, telehealth and cloud providers for security certifications, access logging and data residency controls.
- Put strong contracts in place (security standards, confidentiality, breach notification, audit rights and deletion on exit), often via a Data Processing Agreement.
- Plan for vendor exits - ensure you can retrieve data in a usable format and require secure deletion at the end of the relationship.
4) Train Your Team
- Provide onboarding and refresher training covering privacy obligations, secure handling, phishing awareness and incident reporting.
- Limit the use of personal devices and personal email for handling medical records.
- Set clear do’s and don’ts in your Information Security Policy and internal procedures.
5) Plan For Incidents
- Maintain a tested Data Breach Response Plan and a clear escalation path.
- Define thresholds for isolating systems, communicating with stakeholders and notifying individuals and the OAIC under the NDB scheme.
- Keep incident logs and complete post‑incident reviews to harden controls.
6) Don’t Keep More Than You Need
- Collect only what’s necessary, and de‑identify where possible for analytics or training.
- Apply a retention schedule and securely dispose of records when the minimum period expires.
- If you also store cardholder data, implement extra safeguards beyond health data controls in line with your obligations for storing payment information.
7) Handle Access And Corrections Promptly
- Verify identity before providing access or making corrections and respond within reasonable timeframes.
- Keep a log of requests and your responses for accountability.
- Explain your process in your Privacy Policy so individuals know how to make access, correction or complaint requests.
Documents And Policies To Put In Place
Having the right documents in place helps you meet legal obligations and manage day‑to‑day risk. If you provide a health service, run a digital health platform, or hold health information in the course of your business (including as an employer), consider the following.
- Privacy Policy: Explains what health information you collect, why, how you use and disclose it, and how people can access or correct their records. A tailored Privacy Policy is a core APP 1 requirement and should reflect your actual data flows.
- Privacy Collection Notice: A concise notice shown at or before collection, setting out who you are, the purposes of collection, lawful bases and key rights. Use a Privacy Collection Notice in forms, onboarding and telehealth intake.
- Medical Release Consent Form: If you need to obtain or share records with other providers, insurers, employers or family members, use a clear, specific Medical Release Consent Form that captures scope, purpose and duration.
- Information Security Policy: Sets rules for access control, encryption, device use, third‑party apps, backups and incident response. An Information Security Policy gives your team practical guardrails.
- Data Breach Response Plan: A practical playbook for containing, assessing and notifying breaches under the NDB scheme, including roles and timelines. Formalise this through a Data Breach Response Plan.
- Data Processing Agreement (DPA): When you use IT vendors (EHR, telehealth, cloud) to store or process medical records, ensure your contracts include privacy and security obligations via a Data Processing Agreement.
- Records Retention And Destruction Schedule: Document your minimum timeframes by data type and how/when you securely dispose of records after the period ends, aligned to the regimes that apply to you.
- Internal Procedures: Create simple procedures for identity verification, access/correction requests, clinical record‑keeping standards, bring‑your‑own‑device (BYOD) and offboarding.
Depending on your model, you may also need patient terms or service agreements, platform terms for a digital health app, and employment contracts and policies for your staff. If you’re collecting employees’ health information for operational reasons (for example, return‑to‑work plans), mirror the safeguards above in your HR documentation and limit internal access on a strict need‑to‑know basis.
Common Scenarios To Get Right
Telehealth And Remote Work
Telehealth lets you reach more people, but it can increase security risk. Choose a video platform that’s fit for clinical use, supports end‑to‑end encryption and provides admin‑level controls (for example, disabling guest recording). Only record sessions where it’s necessary and lawful, and store any recordings within your encrypted environment with strict access controls. Make sure patients receive your Privacy Collection Notice before the session.
Sharing Records With Third Parties
Only disclose health information where you have a lawful basis. Outside emergencies, that typically means informed, specific and time‑limited consent (ideally in writing). A clear Medical Release Consent Form is the practical tool here. When sharing with your technology vendors, ensure your contract includes robust privacy, security and breach clauses (often via a Data Processing Agreement).
Using AI Or New Analytics Tools
De‑identify data wherever possible before analysis or model training. If you plan to use identifiable records, check that the use aligns with your stated purposes and is reasonably necessary. Update your Privacy Policy if your purposes change, and build safeguards (access controls, audit logging, human‑in‑the‑loop reviews) into your workflow.
Responding To A Suspected Breach
Act quickly to contain and assess. Identify what data is involved, who is affected and the likelihood of serious harm (consider sensitivity, encryption and who obtained the data). Your Data Breach Response Plan should map exactly how to make that assessment and when to notify affected individuals and the OAIC.
Employers Handling Health Information
Employers should only collect and store employee health information where it’s reasonably necessary and lawful for employment‑related purposes (for example, managing leave entitlements or workplace safety). Remember the employee records exemption has limits - it doesn’t cover prospective employees or contractors - and it doesn’t remove your obligation to keep data secure.
Limit access to a need‑to‑know basis, store information separately from general HR files, and use short, focused collection notices when you request medical evidence. Above all, only collect what you genuinely need to fulfil a legitimate employment purpose.
Key Takeaways
- Health information is sensitive and tightly regulated in Australia. Health service providers are covered by the Privacy Act regardless of turnover, and some states (notably NSW and Victoria) add extra rules for organisations operating there.
- The employee records exemption under the Privacy Act applies only to certain acts and practices related to current and former employee records, and it has limits. It doesn’t remove the need to secure those records or cover prospective employees or contractors.
- Retention periods vary. Victoria prescribes minimums (7 years for adults and, for minors, until age 25 or 7 years from last entry - whichever is later). NSW requirements are more nuanced and shaped by professional standards - confirm what applies to your sector.
- Reasonable steps for security usually include access controls, encryption, MFA, vendor due diligence, staff training, a tested incident response plan and a clear retention and destruction schedule.
- Get the basics in place: a clear Privacy Policy, a concise Privacy Collection Notice, a robust Information Security Policy, a practical Data Breach Response Plan and vendor protections via a Data Processing Agreement.
- When disclosing or analysing data, prioritise consent, de‑identification and strict access controls. Only keep what you need for as long as you need it, then securely dispose of it.
If you’d like a consultation on storing medical records in Australia - from drafting a Privacy Policy to setting up a Data Breach Response Plan - you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no‑obligations chat.